How Aviatrix Improves Amazon WorkSpaces Connectivity

Cloud System Engineer, Aviatrix
April 19, 2018

In May 2016, the Amazon Web Services (AWS) website ran a blog post titled “I Love My Amazon WorkSpace!” Since then, the virtual desktop infrastructure (VDI) service has continued to get rave reviews.

BUT—and there’s always a ‘but,’ isn’t there?—some of the connectivity aspects of Amazon WorkSpaces have proven to be complex and a hassle to manage. That’s why Aviatrix stepped in, to make it easy to manage Amazon WorkSpaces beyond AWS, providing essential network connectivity to the datacenter and branch offices.

Making Connections to Active Directory

Amazon WorkSpaces offers several ways to authenticate against your existing Active Directory (AD), the user directory and identity management solution that allows login to your enterprise resources. You can spin up AD in your Amazon WorkSpaces environment, which synchronizes with your on-premises AD server to give you identity management in the cloud. Or you can use AD Connect, a lightweight piece of software that helps you access AD on-prem.

To use any of these options, you will need secure network connectivity between your WorkSpaces environment in AWS and your on-prem network. Given the sensitive nature of so much user data—including email addresses and other personal information—these connections should be encrypted. As soon as you try connecting Amazon WorkSpaces to other on-prem or public cloud resources, you’re squarely in the realm of traditional networking technologies and processes. Thus, to enable WorkSpaces with AD, someone has to configure VPN, IPsec, or Direct Connect to establish connectivity.

Aviatrix purpose-built cloud networking software provides cloud and DevOps teams with a self-sufficient, point-and-click UI for making quick, simple connections between your on-premises AD and your Amazon WorkSpaces environment in the cloud. Now, your desktop teams can operate like part of your cloud team, no longer relying on trouble tickets and enduring long wait times for provisioning and troubleshooting.

Providing Policy-Based Access to Enterprise Applications

Once you have your Amazon WorkSpaces desktop in the cloud, you need access to all your enterprise applications, no matter where they’re located.

Here’s one scenario: A user in HR wants access to the enterprise HR system to run reports. The HR application is running on-prem, with all the right policies set up. How do you set up and manage firewall permissions from the user’s workspace to the approved applications? How do you segment this HR traffic from, say, finance users accessing financial apps? This kind of segmentation is really difficult to implement and manage natively in AWS WorkSpaces.

By using Aviatrix gateways, you can get the job done through an easy-to-use web console or through APIs (if you practice infrastructure as code). The network segmentation is enforced by the Aviatrix gateways using a built-in stateful firewall. The Aviatrix gateways enable Amazon WorkSpaces users to access approved enterprise applications, whether the applications are located on-prem, in another cloud environment, or hosted as SaaS. The gateways segment and filter traffic from each Amazon WorkSpace to the applications it requires. This traffic flow can be logged to analytics systems such as Splunk, Datadog, Sumo Logic, and others, for audit and compliance reasons.

In addition, the Aviatrix solution addresses the issue of IP address conflicts when connecting applications between on-prem datacenters and public clouds. The solution could potentially eliminate the need to refactor or re-IP on-prem environments to avoid conflicts with AWS networks.